Responsible Disclosure Policy

We appreciate security researchers who help keep our ecosystem safe.

Safe harbor

If you follow this policy when reporting a vulnerability, we will not initiate legal action or law enforcement investigation against you.

Scope

Report issues to security@nexnet.example. Out-of-scope: social engineering, DDoS, physical attacks.

Process

1. Encrypt details with our PGP key (fingerprint C6A1 1F85 2F42 1ACC E912 5D58 F244 8F3B D79B 9C1A).
2. Provide steps to reproduce, impact, and suggested remediation.
3. We acknowledge within 48 hours and aim to remediate within 30 days.

Recognition

We offer optional public thanks, swag, or charitable donations.